If you want to execute a command securely and predictably, it may be better to use the command module instead. Best practices when writing playbooks will follow the trend of using command unless the shell module is explicitly required. When running ad-hoc commands, use your best judgement.

Check mode is supported when passing creates or removes. If running in check mode and either of these are specified, the module will check for the existence of the file and report the correct changed status. If these are not supplied, the task will be skipped.

To sanitize any variables passed to the shell module, you should use “{{ var | quote }}” instead of just “{{ var }}” to make sure they don’t include evil things like semicolons.

An alternative to using inline shell scripts with this module is to use the script module possibly together with the template module.

-name:Execute the command in remote shell; stdout goes to the specified file on the remote.shell:somescript.sh >> somelog.txt-name:Change the working directory to somedir/ before executing the command.shell:somescript.sh >> somelog.txtargs:chdir:somedir/# You can also use the 'args' form to provide the options.-name:This command will change the working directory to somedir/ and will only run when somedir/somelog.txt doesn't exist.shell:somescript.sh >> somelog.txtargs:chdir:somedir/creates:somelog.txt-name:Run a command that uses non-posix shell-isms (in this example /bin/sh doesn't handle redirection and wildcards together but bash does)shell:cat < /tmp/*txtargs:executable:/bin/bash-name:Run a command using a templated variable (always use quote filter to avoid injection)shell:cat{{myfile|quote}}# You can use shell to run other executables to perform actions inline-name:Run expect to wait for a successful PXE boot via out-of-band CIMCshell:|set timeout 300spawn ssh [email protected]{{cimc_host}}expect "password:"send "{{cimc_password}}\n"expect "\n{{cimc_name}}"send "connect host\n"expect "pxeboot.n12"send "\n"exit 0args:executable:/usr/bin/expectdelegate_to:localhost# Disabling warnings-name:Using curl to connect to a host via SOCKS proxy (unsupported in uri). Ordinarily this would throw a warning.shell:curl --socks5 localhost:9000 http://www.ansible.comargs:warn:False